Fix breakages with the review group user resource.

Review Request #4727 — Created Oct. 11, 2013 and submitted

Information

Review Board
master

Fix breakages with the review group user resource.

This resource broke with the latest webapi security fixes, due to
setting model_parent_key. This broke when a user was in more than one
group at a time, since it would try to do a get() on the parent
relationship, which would produce more than one group.

The solution is to remove the model_parent_key field, and make use of
the new has_list_access_permissions instead.

Along with this, there were some incorrect checks for permissions for
access and deletion. While this looks like a security problem, it
wasn't, because these were actually redundant. For item access, the
users are available anyway (through the users resource), and for
deletion, the deletion handler itself does the correct check to ensure
the user is allowed to delete.

Unit tests pass.

Could build the docs.
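The failure mode and the fix described above, as an added example that is not code from Review Board or Djblets. It is a pure-Python stand-in: `parent_from_user`, `has_list_access`, `list_group_users`, the sample groups, and the members-only rule for invite-only groups are all assumptions made for illustration.

```python
# Simplified stand-in for the lookups described above (not Djblets/Review Board code).

class MultipleObjectsReturned(Exception):
    """Mirrors the error Django's get() raises when several rows match."""

class Group:
    def __init__(self, name, users, invite_only=False):
        self.name, self.users, self.invite_only = name, set(users), invite_only

    def is_accessible_by(self, user):
        # Assumed rule for this example: invite-only groups are members-only.
        return not self.invite_only or user in self.users

def get_single(matches):
    """Mimic get(): return the only match, fail on zero or several."""
    matches = list(matches)
    if len(matches) > 1:
        raise MultipleObjectsReturned(f"get() returned {len(matches)} groups")
    if not matches:
        raise LookupError("no matching group")
    return matches[0]

def parent_from_user(user, groups):
    """Before: infer the parent group by walking back from the user."""
    return get_single(g for g in groups if user in g.users)

def has_list_access(requester, group):
    """After: an explicit check against the group named in the request."""
    return group.is_accessible_by(requester)

def list_group_users(requester, group_name, groups):
    # The group comes from the request, never from a member's relationships,
    # so membership in several groups cannot make the lookup ambiguous.
    group = get_single(g for g in groups if g.name == group_name)
    if not has_list_access(requester, group):
        raise PermissionError(f"{requester} may not list users of {group_name}")
    return sorted(group.users)

# Constructed sample data: alice belongs to two groups.
GROUPS = [
    Group("devs", {"alice", "bob"}),
    Group("docs", {"alice"}),
    Group("security", {"carol"}, invite_only=True),
]
```
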

david
  1. Ship It!

chipx86
Review request changed
Status: Completed